IT Brief New Zealand - Technology news for CIOs & IT decision-makers

LinkedIn DMs abused to spread Python-based malware

Wed, 21st Jan 2026

ReliaQuest has detailed a phishing campaign that uses social media private messages to distribute a malicious archive and run an open-source Python penetration-testing script as part of an infection chain.

The company said the activity relied on direct messages on LinkedIn and combined several established techniques with a tool it had not seen used in comparable attacks.

"Central to this campaign is an unusual tactic: the execution of an open-source, Python pen-testing script that our team had not observed in similar attacks before," said the ReliaQuest Threat Research team.

Social media lure

The campaign started with a phishing message delivered through LinkedIn private messages. The message directed recipients to download a WinRAR self-extracting archive.

ReliaQuest said the attackers used LinkedIn's professional setting to build trust with targets in corporate environments. The company described the targets as high-value individuals and said the same approach could work on other platforms accessed on business devices.

ReliaQuest also framed the incident as part of a wider shift in how phishing attempts reach staff. The company said organisations often focus their controls on email and leave gaps around messaging apps, search engines, and social platforms.

"This campaign serves as a reminder that phishing isn't confined to email inboxes. Phishing attacks take place over alternative channels like social media, search engines, and messaging apps, platforms that many organizations still overlook in their security strategies," said the ReliaQuest Threat Research team.

Archive contents

ReliaQuest said the self-extracting archive unpacked multiple components. These included a legitimate PDF reader application, a malicious Dynamic Link Library file, a portable executable of a Python interpreter, and a RAR file that ReliaQuest said likely acted as a decoy.

The company said the attackers tailored filenames to recipients' roles or industries. It gave examples such as "Upcoming_Products.pdf" and "Project_Execution_Plan.exe". ReliaQuest said this technique aimed to raise the likelihood that a recipient would open the file.

DLL sideloading

ReliaQuest said the attack chain used DLL sideloading after the victim opened the extracted PDF reader. The technique places a malicious DLL in the same directory as a legitimate application. ReliaQuest said the application loaded the local DLL before checking the system directory.

ReliaQuest said the attacker's code then ran under the PDF reader's process. The company linked this to evasion from endpoint security tooling and to activity that can appear consistent with legitimate application behaviour.
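The paragraph above describes why a DLL dropped next to a legitimate executable wins: the loader consults the application directory before System32. The following script is an added example written for this article, not code from ReliaQuest or from the campaign; it models the default Windows DLL search order (with the 16-bit system directory omitted for brevity), resolves where a given DLL name would be loaded from, and lists the DLLs in an extracted folder that shadow a System32 DLL of the same name. The directory listings and the name `sample_api.dll` are constructed; the `KNOWN_DLLS` names are real entries the loader always maps from System32, which is why a same-named file in the application directory is ignored for those.

```python
# Constructed sample directories and listings; none of these paths or file
# names come from the ReliaQuest report.
APP_DIR = r"C:\Users\alice\Downloads\extracted"
SYSTEM_DIR = r"C:\Windows\System32"
WINDOWS_DIR = r"C:\Windows"
CWD = r"C:\Users\alice"
PATH_DIRS = [r"C:\Program Files\Tools"]

SAMPLE_FILES = {
    APP_DIR: ["reader.exe", "sample_api.dll", "user32.dll", "decoy.rar"],
    SYSTEM_DIR: ["kernel32.dll", "user32.dll", "sample_api.dll"],
    WINDOWS_DIR: [],
    CWD: [],
    PATH_DIRS[0]: ["sample_api.dll"],
}

# A few real KnownDLLs names. The loader always maps these from System32,
# so a same-named file beside the application is never picked up.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "gdi32.dll", "advapi32.dll"}

# Default search order with SafeDllSearchMode on: application directory,
# System32, Windows directory, current directory, then PATH (simplified).
ORDER = [APP_DIR, SYSTEM_DIR, WINDOWS_DIR, CWD, *PATH_DIRS]


def _has(files_by_dir, directory, name):
    """Case-insensitive membership test for a file name in a directory listing."""
    return name.lower() in {f.lower() for f in files_by_dir.get(directory, [])}


def resolve_dll(name, order, files_by_dir, system_dir=SYSTEM_DIR, known_dlls=KNOWN_DLLS):
    """Return the directory the loader would take `name` from, or None if absent."""
    name = name.lower()
    if name in known_dlls:
        # KnownDLLs bypass the search order entirely.
        return system_dir if _has(files_by_dir, system_dir, name) else None
    for directory in order:
        if _has(files_by_dir, directory, name):
            return directory
    return None


def find_sideload_candidates(app_dir, system_dir, files_by_dir, known_dlls=KNOWN_DLLS):
    """DLLs in the application directory that shadow a same-named System32 DLL."""
    app = {f.lower() for f in files_by_dir.get(app_dir, [])}
    sys32 = {f.lower() for f in files_by_dir.get(system_dir, [])}
    return sorted(f for f in app & sys32 if f.endswith(".dll") and f not in known_dlls)


if __name__ == "__main__":
    for dll in ("sample_api.dll", "user32.dll", "missing.dll"):
        print(f"{dll:16} -> {resolve_dll(dll, ORDER, SAMPLE_FILES)}")
    print("sideload candidates:", find_sideload_candidates(APP_DIR, SYSTEM_DIR, SAMPLE_FILES))
```

Pointing `find_sideload_candidates` at the listing of a freshly extracted archive directory is a cheap triage step: any DLL that collides with a System32 name and is not a KnownDLL deserves a signature check before the bundled executable is run.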

Python execution

After the DLL executed, ReliaQuest said it dropped a Python interpreter onto the system and created a persistent registry Run key. The company said this Run key included embedded Python code.

ReliaQuest said the interpreter executed an open-source shellcode runner script encoded in Base64. It said the script decoded in memory using Python's exec() function. The company said this reduced disk artefacts.
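The two paragraphs above describe the persistence and execution mechanism: a Run key value that launches a dropped Python interpreter with embedded code, which decodes a Base64 payload and hands it to `exec()`. The script below is an added example for this article, not ReliaQuest's tooling, showing how a defender can inspect Run key values for that pattern. It flags a value when it launches a Python interpreter and carries at least one further indicator (interpreter in a user-writable directory, inline `-c` code, `exec`/`b64decode` markers on the command line, or a Base64 blob that decodes to code containing such markers). The two sample values are constructed; the `read_run_values` helper uses the standard-library `winreg` module on Windows and falls back to the samples elsewhere.

```python
import base64
import re

# Indicators an analyst would look for in a Run key command line.
SUSPICIOUS_MARKERS = ("exec(", "b64decode", "ctypes", "VirtualAlloc", "urlopen", "socket")
UNUSUAL_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
INTERPRETER_RE = re.compile(r"\bpythonw?(?:\d+(?:\.\d+)?)?\.exe\b", re.IGNORECASE)
INLINE_CODE_RE = re.compile(r"\s-c\s")
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Constructed samples (not from the report): one benign value and one that
# mimics the described pattern. The inner payload is harmless and only inspected.
INNER_B64 = base64.b64encode(b"import ctypes\nprint('constructed sample')").decode()
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": (r"C:\Users\alice\AppData\Roaming\pyembed\python.exe -c "
                + '"import base64;exec(base64.b64decode(\'' + INNER_B64 + '\'))"'),
}


def decode_blobs(text):
    """Return every Base64 run in `text` that decodes to valid UTF-8."""
    decoded = []
    for match in B64_RE.finditer(text):
        try:
            decoded.append(base64.b64decode(match.group(0), validate=True).decode("utf-8"))
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
            continue
    return decoded


def assess_run_value(name, command):
    """Score one Run key value; returns a dict with the reasons it was flagged."""
    lowered = command.lower()
    reasons = []
    has_interpreter = bool(INTERPRETER_RE.search(command))
    if has_interpreter:
        reasons.append("launches a Python interpreter")
        if any(d in lowered for d in UNUSUAL_DIRS):
            reasons.append("interpreter path is in a user-writable directory")
        if INLINE_CODE_RE.search(command):
            reasons.append("passes inline code with -c")
    raw_hits = [m for m in SUSPICIOUS_MARKERS if m.lower() in lowered]
    if raw_hits:
        reasons.append("command line contains " + ", ".join(raw_hits))
    decoded_hits = sorted({m for blob in decode_blobs(command)
                           for m in SUSPICIOUS_MARKERS if m.lower() in blob.lower()})
    if decoded_hits:
        reasons.append("base64 payload decodes to code containing " + ", ".join(decoded_hits))
    return {"name": name, "suspicious": has_interpreter and len(reasons) >= 2, "reasons": reasons}


def scan_run_values(values):
    """Names of the Run key values that look like embedded-Python persistence."""
    return [n for n, c in values.items() if assess_run_value(n, c)["suspicious"]]


def read_run_values(hive_name="HKCU"):
    """Read the Run key from the live registry on Windows; returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    hive = winreg.HKEY_CURRENT_USER if hive_name == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    values = {}
    with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                value_name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            values[value_name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    for value_name, command in (read_run_values() or SAMPLE_RUN_VALUES).items():
        result = assess_run_value(value_name, command)
        if result["suspicious"]:
            print(value_name, "->", "; ".join(result["reasons"]))
```

The decode step matters because a payload passed as a single Base64 argument shows none of the raw markers; decoding and scanning the result is what surfaces `ctypes` in the constructed sample. Run the same logic over HKLM as well as HKCU, and over the RunOnce keys, when applying it to a real host.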

ReliaQuest said it observed command-and-control activity during analysis. It described frequent attempts to contact a command-and-control server. The company associated that behaviour with remote access trojans.

Open-source tools

ReliaQuest said the operation showed how attackers use legitimate tools and widely available code. It said the use of an open-source Python penetration-testing script reduced the need for custom malware development.

It also said open-source tools can complicate attribution. ReliaQuest said the attacker used the script directly from its public repository without modifications.

"What makes this campaign particularly concerning is its strategic use of social media's credibility, combined with the weaponization of legitimate open-source tools. This combination not only lowers the technical barrier for attackers but also boosts their odds of success," said the ReliaQuest Threat Research team.

Broader pattern

ReliaQuest placed the campaign alongside other social media-based delivery efforts that have distributed remote access trojans and backdoors. It referenced the financially motivated groups FIN6 and Cobalt Group and their use of social media spearphishing to distribute the "More_eggs" backdoor. It also referenced the North Korean group Lazarus and "Operation Dangerous Password", also known as "CryptoCore".

ReliaQuest said social platforms provide reconnaissance opportunities through public job titles and role descriptions. It said this information can guide targeting and message crafting, including naming files in ways that appear relevant to a recipient's work.

The company said organisations should treat social media as part of their attack surface and review how staff access these platforms on corporate devices. ReliaQuest said social media platforms would likely see increased targeting over the next 12-24 months.